“Trust no one, verify everything.” This is the central tenet of Zero Trust, a security model that was developed by former Forrester analyst John Kindervag back in 2010. Over the last decade, the concept has grown steadily in popularity to become one of the most influential cybersecurity frameworks in the industry.
The model aims to address a major shortcoming of the traditional perimeter-based security strategy, a long-established mainstay of the industry. Defensive strategies that rely on firewalls and user credentials to keep out threats are powerless to stop attackers who covertly gain network access. The same goes for malicious insiders who overstep their credentials’ boundaries.
Under Zero Trust, users are not considered trustworthy simply because they have legitimate access to the network. Instead, everyone is classed as a potential threat until they can prove otherwise. Every user must pass through additional verification measures such as two-factor authentication before they are granted access to resources.
Building momentum in 2019
Zero Trust has picked up some serious steam in recent years, and 2019 saw strong growth in terms of both awareness and implementation of the model. A report conducted by Cybersecurity Insiders, for example, found that 15 percent of organizations have already enacted a Zero Trust policy, while more than half (59 percent) plan to do so over the next 12 months. Reports also indicate that the global Zero Trust market is currently worth around $15.6 billion.
One of the reasons the model has built up such strong momentum is a high level of support from tech industry heavy hitters such as Google, which has created its own Zero Trust framework called BeyondCorp.
However, Zero Trust also serves as a natural evolution for companies looking to improve their data security maturity. Between the threat of cyber-attacks and increased regulatory burdens, organizations are under tremendous pressure to get their data security and access policies in order. It starts with companies identifying sensitive data on the system, then limiting user access, before finally deploying tools capable of detecting when threat actors attempt to access this data.
These three steps form the ideal platform for implementing Zero Trust. It’s the next logical step for any business that wants to take its commitment to data management and access control to the next level.
Looking ahead to 2020
All signs point to more strong growth for Zero Trust over the next 12 months and beyond. The global Zero Trust market has been projected to grow from the current $15.6 billion to around $28.6 billion by 2024. This represents a huge opportunity for the security industry.
Multiple factors are fueling this growth. Credential theft continues to be one of the mainstays of cyber-attacks, so the additional verification and authentication steps advocated under Zero Trust are critical. Adherence to a Zero Trust framework is also an effective way of combating insider threats. Stronger controls around system access will naturally prevent users from accessing files outside of their purview, while better oversight into user activity will make it easier to spot privileged users who are abusing their access rights.
Zero Trust also continues to see a high level of promotion and endorsement from tech and security leaders. The National Cyber Security Centre (NCSC), for example, recently published its own Zero Trust Architecture (ZTA) design principles on GitHub to help guide organizations that are looking to implement the framework. For those companies looking to join the migration to Zero Trust in 2020, the three biggest priorities are:
- Obtain a clear picture of permissions and folder structures
- Classify sensitive data on the system
- Implement effective monitoring for key areas such as file access, Active Directory, and email activity
Achieving these milestones will not only mean a company is ideally positioned to start implementing a Zero Trust model but will immediately deliver improved protection from both external and insider threats.